API
The Gcore Customer Portal is being updated. Screenshots may not show the current version.
WAAP
WAAP
About WAAPBilling
Configure WAAP for a domainWAAP modesManage domains protected with WAAP
Protocol validationWAF and OWASP top threatsIP reputationBehavioral WAFAnti-automation and bot protectionCMS protectionCommon automated servicesAdvanced API protection
Allow and block IP addresses in firewall
Configure API access with reserved tags
Advanced rate limiting rulesAdvanced rule objects and attributesSource field objects
Create and manage custom rules
Reserved tagsPredefined tags
Create custom response pagesManage custom response pages
How does JavaScript injection work?What cookies are used by WAAP?What storage variables does WAAP use?
Enable and troubleshoot bot protectionTroubleshoot blocked usersTroubleshoot 5xx errors
API
Chosen image
Home/WAAP/WAAP rules/Advanced rules/Source field objects

Source field objects in advanced rule expressions

For the request, Whois, session, and user-agent objects, every string value should be enclosed in a single-quotes ' and not in double-quotes ".

request

Attribute Type Description Compiled source field
headers dict Request headers
ip string Client IP request.ip
request.ip == '117.20.32.5' ||
request.ip == '117.20.32.4'
uri string Domain's URI (URL path + arguments) request.uri
('/prehistoric/monotony/monotony.phtml' or '/amfphp/services') in request.uri
path string Domain’s URL path request.path
request.path in ['/process_neopet_desc.phtml', '/modify_neomessages.phtml']
method string HTTP method (uppercase). request.method
request.method == 'OPTION'
origin_ip string Web application server IP request.origin_ip
request.origin_ip == '120.36.54.1'
ja3 string TLS fingerprint. request.ja3
request.ja3 == 'e2925c27149b0d0dc34373d55040dde1' or request.ja3 == '3e9b20610098b6c9bff953856e58016a' or request.ja3 == '7d671906ed4a1edac3262a54676dacfa'
http_version string Represents HTTP version request.http_version
request.http_version in ['1.1']
is_api() function Returns true if the request is API request.is_api()
is_ajax() function Returns true if the request is AJAX request.is_ajax()
is_static() function Returns true if the request is static request.is_static()
ip_in_range function Returns true if client ip is within the specified range request.ip_in_range(, )
request.ip_in_range('72.21.217.0', '72.21.217.255') or request.ip_in_range('2409:4072:6c8c:e228:ecaf:ce2c:fd7d:0000', '2409:4072:6c8c:e228:ecaf:ce2c:fd7d:4780')
rate_limit function Returns true if the rate limit exceeded for these parameters (the scope is 'ip'/'cluster').
For parameter descriptions, check out the Rate limiting guide.		 rate_limit(
[ip , ...],
url ,
interval ,
requests ,
[method ,...],
[status_code ,...],
content_type ,
scope
)
example:
request.rate_limit([], '/', 5, 200, ['GET', 'HEAD'], [], 'text/html; charset=', 'ip')

whois

Attribute Type Description Compiled source field
country string Two-letter country code (uppercase). whois.country
whois.country in ['BR', 'VN', 'ID']
org string Organization name from the WHOIS database. whois.org
whois.org in ['Google Inc', 'Google Inc.', 'Google LLC', 'Google Incorporated']
owner_type string Owner type of the range. whois.owner_type
whois.owner_type != 'hosting services'

session

Attribute Type Description Compiled source field
request_counter int Sequential number of the request within the session. session.session_request_counter
session.request_counter > 1000
profiling_status string Client’s fingerprint profiling status.

Values:
  • Initiated: JavaScript was injected in the response and sent to the client for execution.
  • Executed once: JavaScript was executed, and WAAP received preliminary results.
  • Profiling error: An error occurred during profiling.
  • Profiling completed: Profiling completed without error.
  • Idle: All JavaScript tests and fingerprinting process completed.
session.profiling_status
session.profiling_status == 'idle'

response

Attribute Type Description Compiled source field
status int HTTP status code response.status
headers dict Response headers response.headers['Access-Control-Allow-Credentials'] == 'true'

tags

Attribute Type Description Compiled source field
exists(tag ) function Returns true if the tag exists. tags.exists()
tags.any([, …., ]) up to 10 tags
tags.all([, …., ]) up to 10 tags
tags.any(['proxynetwork','hostingservices'])
tags.exists('penalty')
any([tag , ...]) function Returns true if any of the tags exists.
all([tag , ...]) function Returns true if all tags exist.

user-agent

The ua_parsed table contains user agent information collected by WAAP from the source of the logged request.

Attribute Type Description Compiled source field
engine string The client engine. For example, Gecko. user_agent.engine
client string The name of the client. An example of client name is "Firefox". user_agent.client
client_type string The type of client. Optional values: Major Browser, NA, Lib, Crawler, Custom Browser, mobile app, Headless Browser, Bot, Application, mail client, Site Monitoring, RSS Reader, Game Console, Text Browser, Network Diagnostics, certificate authority, paying service. user_agent.client_type
'major browser' in user_agent.client_type
client_version string The client engine's version. user_agent.client_version
client_version_float string A possibly truncated version of the client browser engine's version. user_agent.client_version_float
os string The client computer's operating system. An example of os is "Mac OS X 10.14". user_agent.os
cpu string The client computer's CPU. An example of CPU is "Intel". user_agent.cpu
device string Information about the client device. An example of a device is "mac". user_agent.device
device_type string Additional information about the client device.

Optional values:
  • Web search engine bots
  • mobile
  • NA
  • SEO
  • Analytics or marketing bots
  • Preview bot
  • Media or entertainment search bots
  • Social media or blog bots
  • RSS seed reader bots
  • Site monitoring and web development bots
  • Web archiver bots
  • console
  • Job search engine bots
  • Online advertising bots
  • News aggregator bots
  • Academic or research bots
  • Desktop
  • Business intelligence bots
  • Automated shopping cart and sniper bots
  • Enterprise data aggregator bots
  • Media player
 user_agent.device_type
user_agent.device_type == 'na'

client_data

Attribute Type Description Compiled source field
fingerprint['hash'] dict A table that contains fingerprint information about the request (the information is collected by WAAP with injected JavaScript):
  • fp__hash of the client
  • fp__js of the client
  • fp__flash of the client
  • fp__header of the client

client_data.fingerprint == 'kvd8oxizrdl-41-37zpvwqrr-5tzoaavgfr7-v2osmr4iefe-noieo-90.3095389639745667' 		client_data.fingerprint['hash']client_data.fingerprint['hash'] == '9be394dca715eca8e42783397a507d2e'
fingerprint['js'] dict client_data.fingerprint['js']
fingerprint['flash'] dict client_data.fingerprint['flash']
fingerprint['header'] dict client_data.fingerprint['header']

Was this article helpful?

Edit on GitHub